diff --git a/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml index 59386f7de22..228a5e61600 100644 --- a/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml +++ b/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml @@ -5,7 +5,52 @@ featureGates: - KMSEncryptionProvider tests: onCreate: - - name: Should be able to create encrypt with KMS for AWS with valid values + - name: Should be able to create encrypt with KMS for Manual provider with valid name + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Manual + manual: + name: my-kms-plugin + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + encryption: + type: KMS + kms: + type: Manual + manual: + name: my-kms-plugin + - name: Should fail to create KMS Manual provider without manual config + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Manual + expectedError: "manual config with non-empty name is required when kms provider type is Manual" + - name: Should fail to create KMS Manual provider with empty name + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Manual + manual: + name: "" + expectedError: "spec.encryption.kms.manual.name: Invalid value" + - name: Should be able to create KMS with AWS provider and valid aws config initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -15,7 +60,7 @@ tests: kms: type: AWS aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a + keyARN: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ab12-cd34-ef56-abcdef123456 region: us-east-1 expected: | apiVersion: config.openshift.io/v1 @@ -28,9 +73,9 @@ tests: kms: type: AWS aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a + keyARN: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ab12-cd34-ef56-abcdef123456 region: us-east-1 - - name: Should fail to create encrypt with KMS for AWS without region + - name: Should fail to create KMS AWS provider without aws config initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -39,32 +84,32 @@ tests: type: KMS kms: type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - expectedError: "spec.encryption.kms.aws.region: Required value" - - name: Should not allow kms config with encrypt aescbc + expectedError: "aws config is required when kms provider type is AWS" + - name: Should fail to create KMS with invalid provider type initial: | apiVersion: config.openshift.io/v1 kind: APIServer spec: encryption: - type: aescbc + type: KMS kms: - type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - region: us-east-1 - expectedError: "kms config is required when encryption type is KMS, and forbidden otherwise" - - name: Should fail to create with an empty KMS config + type: InvalidType + manual: + name: my-plugin + expectedError: "supported values: \"AWS\", \"Manual\"" + - name: Should fail to create KMS Manual provider with name longer than 80 characters initial: | apiVersion: config.openshift.io/v1 kind: APIServer spec: encryption: type: KMS - kms: {} - expectedError: "spec.encryption.kms.type: Required value" - - name: Should fail to create with kms type AWS but without aws config + kms: + type: Manual + manual: + name: this-is-a-very-long-name-that-exceeds-the-maximum-allowed-length-of-eighty-characters-for-kms-plugin + expectedError: "Too long: may not be more than 80 bytes" + - name: Should fail to create KMS Manual provider with name containing forward slash initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -72,9 +117,11 @@ tests: encryption: type: KMS kms: - type: AWS - expectedError: "aws config is required when kms provider type is AWS, and forbidden otherwise" - - name: Should fail to create AWS KMS without a keyARN + type: Manual + manual: + name: invalid/path + expectedError: "name must be a safe socket filename (must not contain '/' or '..')" + - name: Should fail to create KMS Manual provider with name containing double dots initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -82,11 +129,11 @@ tests: encryption: type: KMS kms: - type: AWS - aws: - region: us-east-1 - expectedError: "spec.encryption.kms.aws.keyARN: Required value" - - name: Should fail to create AWS KMS with invalid keyARN format + type: Manual + manual: + name: ../escape + expectedError: "name must be a safe socket filename (must not contain '/' or '..')" + - name: Should fail to create KMS Manual provider with name containing double dots in middle initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -94,12 +141,32 @@ tests: encryption: type: KMS kms: - type: AWS - aws: - keyARN: not-a-kms-arn - region: us-east-1 - expectedError: "keyARN must follow the format `arn:aws:kms:::key/`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)." - - name: Should fail to create AWS KMS with empty region + type: Manual + manual: + name: some..name + expectedError: "name must be a safe socket filename (must not contain '/' or '..')" + - name: Should not allow kms config with encrypt aescbc + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: aescbc + kms: + type: Manual + manual: + name: my-plugin + expectedError: "kms config is required when encryption type is KMS, and forbidden otherwise" + - name: Should fail to create with an empty KMS config + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: {} + expectedError: "spec.encryption.kms.type: Required value" + - name: Should fail to create KMS AWS with invalid keyARN format initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -109,10 +176,10 @@ tests: kms: type: AWS aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - region: "" - expectedError: "spec.encryption.kms.aws.region in body should be at least 1 chars long" - - name: Should fail to create AWS KMS with invalid region format + keyARN: invalid-arn-format + region: us-east-1 + expectedError: "keyARN must follow the format" + - name: Should fail to create KMS AWS with invalid region format initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -122,6 +189,6 @@ tests: kms: type: AWS aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - region: "INVALID-REGION" - expectedError: "region must be a valid AWS region, consisting of lowercase characters, digits and hyphens (-) only." + keyARN: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ab12-cd34-ef56-abcdef123456 + region: INVALID_REGION + expectedError: "region must be a valid AWS region" diff --git a/config/v1/types_kmsencryption.go b/config/v1/types_kmsencryption.go index 3293204fa4e..d6d489bbf20 100644 --- a/config/v1/types_kmsencryption.go +++ b/config/v1/types_kmsencryption.go @@ -2,26 +2,51 @@ package v1 // KMSConfig defines the configuration for the KMS instance // that will be used with KMSEncryptionProvider encryption +// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Manual' ? (has(self.manual) && has(self.manual.name) && self.manual.name != '') : !has(self.manual)",message="manual config with non-empty name is required when kms provider type is Manual, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'AWS' ? has(self.aws) : !has(self.aws)",message="aws config is required when kms provider type is AWS, and forbidden otherwise" // +union type KMSConfig struct { // type defines the kind of platform for the KMS provider. - // Available provider types are AWS only. + // Available provider types are AWS, Manual. // // +unionDiscriminator // +required Type KMSProviderType `json:"type"` + // manual defines the configuration for manually managed KMS plugins. + // The KMS plugin must be deployed as a static pod by the cluster admin. + // + // +unionMember + // +optional + Manual *ManualKMSConfig `json:"manual,omitempty"` + // aws defines the key config for using an AWS KMS instance // for the encryption. The AWS KMS instance is managed // by the user outside the purview of the control plane. + // Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. // // +unionMember // +optional AWS *AWSKMSConfig `json:"aws,omitempty"` } +// ManualKMSConfig defines the configuration for manually managed KMS plugins +type ManualKMSConfig struct { + // name specifies the KMS plugin name. + // This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + // and is between 1 and 80 characters in length. + // The KMS plugin must listen at this socket path. + // The name must be a safe socket filename and must not contain '/' or '..'. + // + // +kubebuilder:validation:MaxLength=80 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:XValidation:rule="!self.contains('/') && !self.contains('..')",message="name must be a safe socket filename (must not contain '/' or '..')" + // +optional + Name string `json:"name,omitempty"` +} + // AWSKMSConfig defines the KMS config specific to AWS KMS provider +// Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. type AWSKMSConfig struct { // keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. // The value must adhere to the format `arn:aws:kms:::key/`, where: @@ -46,10 +71,15 @@ type AWSKMSConfig struct { } // KMSProviderType is a specific supported KMS provider -// +kubebuilder:validation:Enum=AWS +// +kubebuilder:validation:Enum=AWS;Manual type KMSProviderType string const ( // AWSKMSProvider represents a supported KMS provider for use with AWS KMS + // Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. AWSKMSProvider KMSProviderType = "AWS" + + // ManualKMSProvider represents a supported KMS provider is managed by user manually not by OpenShift. + // KMS plugin is supposed to be run as static pods on each control plane + ManualKMSProvider KMSProviderType = "Manual" ) diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index f4416bf9b3c..fa26a9059a3 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- @@ -206,17 +207,42 @@ spec: - keyARN - region type: object + manual: + description: |- + manual defines the configuration for manually managed KMS plugins. + The KMS plugin must be deployed as a static pod by the cluster admin. + properties: + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not + contain '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' + type: object type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are AWS, Manual. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: + - message: manual config with non-empty name is required when + kms provider type is Manual, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) + && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - message: aws config is required when kms provider type is AWS, and forbidden otherwise rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index bfeefa11f36..d70ec8d40e1 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- @@ -206,17 +207,42 @@ spec: - keyARN - region type: object + manual: + description: |- + manual defines the configuration for manually managed KMS plugins. + The KMS plugin must be deployed as a static pod by the cluster admin. + properties: + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not + contain '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' + type: object type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are AWS, Manual. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: + - message: manual config with non-empty name is required when + kms provider type is Manual, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) + && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - message: aws config is required when kms provider type is AWS, and forbidden otherwise rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index a49976e0dfd..bb5e60c71dd 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- @@ -206,17 +207,42 @@ spec: - keyARN - region type: object + manual: + description: |- + manual defines the configuration for manually managed KMS plugins. + The KMS plugin must be deployed as a static pod by the cluster admin. + properties: + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not + contain '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' + type: object type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are AWS, Manual. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: + - message: manual config with non-empty name is required when + kms provider type is Manual, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) + && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - message: aws config is required when kms provider type is AWS, and forbidden otherwise rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) diff --git a/config/v1/zz_generated.deepcopy.go b/config/v1/zz_generated.deepcopy.go index 30b85b78e96..bb715c9a29b 100644 --- a/config/v1/zz_generated.deepcopy.go +++ b/config/v1/zz_generated.deepcopy.go @@ -3832,6 +3832,11 @@ func (in *IntermediateTLSProfile) DeepCopy() *IntermediateTLSProfile { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KMSConfig) DeepCopyInto(out *KMSConfig) { *out = *in + if in.Manual != nil { + in, out := &in.Manual, &out.Manual + *out = new(ManualKMSConfig) + **out = **in + } if in.AWS != nil { in, out := &in.AWS, &out.AWS *out = new(AWSKMSConfig) @@ -4059,6 +4064,22 @@ func (in *MTUMigrationValues) DeepCopy() *MTUMigrationValues { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ManualKMSConfig) DeepCopyInto(out *ManualKMSConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManualKMSConfig. +func (in *ManualKMSConfig) DeepCopy() *ManualKMSConfig { + if in == nil { + return nil + } + out := new(ManualKMSConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MaxAgePolicy) DeepCopyInto(out *MaxAgePolicy) { *out = *in diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml index a3919b9a489..507545551e2 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml @@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- @@ -206,17 +207,42 @@ spec: - keyARN - region type: object + manual: + description: |- + manual defines the configuration for manually managed KMS plugins. + The KMS plugin must be deployed as a static pod by the cluster admin. + properties: + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not + contain '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' + type: object type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are AWS, Manual. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: + - message: manual config with non-empty name is required when + kms provider type is Manual, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) + && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - message: aws config is required when kms provider type is AWS, and forbidden otherwise rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index b2d021729be..a3f4025e2a2 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go @@ -2326,7 +2326,7 @@ func (Storage) SwaggerDoc() map[string]string { } var map_AWSKMSConfig = map[string]string{ - "": "AWSKMSConfig defines the KMS config specific to AWS KMS provider", + "": "AWSKMSConfig defines the KMS config specific to AWS KMS provider Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", "keyARN": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", "region": "region specifies the AWS region where the KMS instance exists, and follows the format `--`, e.g.: `us-east-1`. Only lowercase letters and hyphens followed by numbers are allowed.", } @@ -2336,15 +2336,25 @@ func (AWSKMSConfig) SwaggerDoc() map[string]string { } var map_KMSConfig = map[string]string{ - "": "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", - "type": "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", - "aws": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.", + "": "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", + "type": "type defines the kind of platform for the KMS provider. Available provider types are AWS, Manual.", + "manual": "manual defines the configuration for manually managed KMS plugins. The KMS plugin must be deployed as a static pod by the cluster admin.", + "aws": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", } func (KMSConfig) SwaggerDoc() map[string]string { return map_KMSConfig } +var map_ManualKMSConfig = map[string]string{ + "": "ManualKMSConfig defines the configuration for manually managed KMS plugins", + "name": "name specifies the KMS plugin name. This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock and is between 1 and 80 characters in length. The KMS plugin must listen at this socket path. The name must be a safe socket filename and must not contain '/' or '..'.", +} + +func (ManualKMSConfig) SwaggerDoc() map[string]string { + return map_ManualKMSConfig +} + var map_ClusterNetworkEntry = map[string]string{ "": "ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs are allocated.", "cidr": "The complete block for pod IPs.", diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index dbe2b5b3857..a418bdb6ca5 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -325,6 +325,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.LoadBalancer": schema_openshift_api_config_v1_LoadBalancer(ref), "github.com/openshift/api/config/v1.MTUMigration": schema_openshift_api_config_v1_MTUMigration(ref), "github.com/openshift/api/config/v1.MTUMigrationValues": schema_openshift_api_config_v1_MTUMigrationValues(ref), + "github.com/openshift/api/config/v1.ManualKMSConfig": schema_openshift_api_config_v1_ManualKMSConfig(ref), "github.com/openshift/api/config/v1.MaxAgePolicy": schema_openshift_api_config_v1_MaxAgePolicy(ref), "github.com/openshift/api/config/v1.ModernTLSProfile": schema_openshift_api_config_v1_ModernTLSProfile(ref), "github.com/openshift/api/config/v1.NamedCertificate": schema_openshift_api_config_v1_NamedCertificate(ref), @@ -9174,7 +9175,7 @@ func schema_openshift_api_config_v1_AWSKMSConfig(ref common.ReferenceCallback) c return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AWSKMSConfig defines the KMS config specific to AWS KMS provider", + Description: "AWSKMSConfig defines the KMS config specific to AWS KMS provider Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "keyARN": { @@ -16148,15 +16149,21 @@ func schema_openshift_api_config_v1_KMSConfig(ref common.ReferenceCallback) comm Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", + Description: "type defines the kind of platform for the KMS provider. Available provider types are AWS, Manual.", Default: "", Type: []string{"string"}, Format: "", }, }, + "manual": { + SchemaProps: spec.SchemaProps{ + Description: "manual defines the configuration for manually managed KMS plugins. The KMS plugin must be deployed as a static pod by the cluster admin.", + Ref: ref("github.com/openshift/api/config/v1.ManualKMSConfig"), + }, + }, "aws": { SchemaProps: spec.SchemaProps{ - Description: "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.", + Description: "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", Ref: ref("github.com/openshift/api/config/v1.AWSKMSConfig"), }, }, @@ -16169,7 +16176,8 @@ func schema_openshift_api_config_v1_KMSConfig(ref common.ReferenceCallback) comm map[string]interface{}{ "discriminator": "type", "fields-to-discriminateBy": map[string]interface{}{ - "aws": "AWS", + "aws": "AWS", + "manual": "Manual", }, }, }, @@ -16177,7 +16185,7 @@ func schema_openshift_api_config_v1_KMSConfig(ref common.ReferenceCallback) comm }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.AWSKMSConfig"}, + "github.com/openshift/api/config/v1.AWSKMSConfig", "github.com/openshift/api/config/v1.ManualKMSConfig"}, } } @@ -16568,6 +16576,26 @@ func schema_openshift_api_config_v1_MTUMigrationValues(ref common.ReferenceCallb } } +func schema_openshift_api_config_v1_ManualKMSConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ManualKMSConfig defines the configuration for manually managed KMS plugins", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name specifies the KMS plugin name. This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock and is between 1 and 80 characters in length. The KMS plugin must listen at this socket path. The name must be a safe socket filename and must not contain '/' or '..'.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + func schema_openshift_api_config_v1_MaxAgePolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/openapi/openapi.json b/openapi/openapi.json index 97afd57f431..aec4bf3bf33 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -4454,7 +4454,7 @@ ] }, "com.github.openshift.api.config.v1.AWSKMSConfig": { - "description": "AWSKMSConfig defines the KMS config specific to AWS KMS provider", + "description": "AWSKMSConfig defines the KMS config specific to AWS KMS provider Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", "type": "object", "required": [ "keyARN", @@ -4572,6 +4572,19 @@ } } }, + "com.github.openshift.api.config.v1.AcceptRisk": { + "description": "AcceptRisk represents a risk that is considered acceptable.", + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "description": "name is the name of the acceptable risk. It must be a non-empty string and must not exceed 256 characters.", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1.AdmissionConfig": { "type": "object", "properties": { @@ -5859,6 +5872,18 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.ClusterVersionCapabilitiesStatus" }, + "conditionalUpdateRisks": { + "description": "conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. The risk names in the list must be unique. conditionalUpdateRisks must not contain more than 500 entries.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ConditionalUpdateRisk" + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, "conditionalUpdates": { "description": "conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified.", "type": "array", @@ -6066,6 +6091,15 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.Release" }, + "riskNames": { + "description": "riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. Entries must be unique and must not exceed 256 characters. riskNames must not contain more than 500 entries.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "set" + }, "risks": { "description": "risks represents the range of issues associated with updating to the target release. The cluster-version operator will evaluate all entries, and only recommend the update if there is at least one entry and all entries recommend the update.", "type": "array", @@ -6092,6 +6126,18 @@ "matchingRules" ], "properties": { + "conditions": { + "description": "conditions represents the observations of the conditional update risk's current status. Known types are: * Applies, for whether the risk applies to the current cluster. The condition's types in the list must be unique. conditions must not contain more than one entry.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, "matchingRules": { "description": "matchingRules is a slice of conditions for deciding which clusters match the risk and which do not. The slice is ordered by decreasing precedence. The cluster-version operator will walk the slice in order, and stop after the first it can successfully evaluate. If no condition can be successfully evaluated, the update will not be recommended.", "type": "array", @@ -8499,11 +8545,15 @@ ], "properties": { "aws": { - "description": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.", + "description": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", "$ref": "#/definitions/com.github.openshift.api.config.v1.AWSKMSConfig" }, + "manual": { + "description": "manual defines the configuration for manually managed KMS plugins. The KMS plugin must be deployed as a static pod by the cluster admin.", + "$ref": "#/definitions/com.github.openshift.api.config.v1.ManualKMSConfig" + }, "type": { - "description": "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", + "description": "type defines the kind of platform for the KMS provider. Available provider types are AWS, Manual.", "type": "string", "default": "" } @@ -8512,7 +8562,8 @@ { "discriminator": "type", "fields-to-discriminateBy": { - "aws": "AWS" + "aws": "AWS", + "manual": "Manual" } } ] @@ -8749,6 +8800,16 @@ } } }, + "com.github.openshift.api.config.v1.ManualKMSConfig": { + "description": "ManualKMSConfig defines the configuration for manually managed KMS plugins", + "type": "object", + "properties": { + "name": { + "description": "name specifies the KMS plugin name. This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock and is between 1 and 80 characters in length. The KMS plugin must listen at this socket path. The name must be a safe socket filename and must not contain '/' or '..'.", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1.MaxAgePolicy": { "description": "MaxAgePolicy contains a numeric range for specifying a compliant HSTS max-age for the enclosing RequiredHSTSPolicy", "type": "object", @@ -11590,6 +11651,18 @@ "description": "Update represents an administrator update request.", "type": "object", "properties": { + "acceptRisks": { + "description": "acceptRisks is an optional set of names of conditional update risks that are considered acceptable. A conditional update is performed only if all of its risks are acceptable. This list may contain entries that apply to current, previous or future updates. The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. acceptRisks must not contain more than 1000 entries. Entries in this list must be unique.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.AcceptRisk" + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, "architecture": { "description": "architecture is an optional field that indicates the desired value of the cluster architecture. In this context cluster architecture means either a single architecture or a multi architecture. architecture can only be set to Multi thereby only allowing updates from single to multi architecture. If architecture is set, image cannot be set and version must be set. Valid values are 'Multi' and empty.", "type": "string", @@ -11624,7 +11697,7 @@ ], "properties": { "acceptedRisks": { - "description": "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", + "description": "acceptedRisks records risks which were accepted to initiate the update. For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", "type": "string" }, "completionTime": { diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index f4416bf9b3c..fa26a9059a3 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- @@ -206,17 +207,42 @@ spec: - keyARN - region type: object + manual: + description: |- + manual defines the configuration for manually managed KMS plugins. + The KMS plugin must be deployed as a static pod by the cluster admin. + properties: + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not + contain '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' + type: object type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are AWS, Manual. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: + - message: manual config with non-empty name is required when + kms provider type is Manual, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) + && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - message: aws config is required when kms provider type is AWS, and forbidden otherwise rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index bfeefa11f36..d70ec8d40e1 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- @@ -206,17 +207,42 @@ spec: - keyARN - region type: object + manual: + description: |- + manual defines the configuration for manually managed KMS plugins. + The KMS plugin must be deployed as a static pod by the cluster admin. + properties: + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not + contain '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' + type: object type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are AWS, Manual. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: + - message: manual config with non-empty name is required when + kms provider type is Manual, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) + && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - message: aws config is required when kms provider type is AWS, and forbidden otherwise rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index a49976e0dfd..bb5e60c71dd 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- @@ -206,17 +207,42 @@ spec: - keyARN - region type: object + manual: + description: |- + manual defines the configuration for manually managed KMS plugins. + The KMS plugin must be deployed as a static pod by the cluster admin. + properties: + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not + contain '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' + type: object type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are AWS, Manual. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: + - message: manual config with non-empty name is required when + kms provider type is Manual, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) + && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - message: aws config is required when kms provider type is AWS, and forbidden otherwise rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws)